IBM Global Services (ITS-SD)


BO-Nr. 


Location 


Customer Address 


ONTOP Service 


ONTOP (ONline Technical OPeration) is a tool for remote failure analysis on OS/390 
systems, which IBM provides along with software service contracts. 

ONTOP has been available since 1986.

In the beginning it was only used on SNA PU2 to PU4 switched point to point connections. 
In 1990 the first non switched SNI network to network connections were introduced. 

Since September 1996 we have also offered switched SNI network to network connections.

All those connections are SNA based. 

With this “Request for an ONTOP IP connection” it is now possible to connect the IBM
ONTOP host and the customer ONTOP host via IP.

ONTOP allows an IBM specialist sitting somewhere in the IBM SNA network to access the 
NVAS/ONTOP security gateway and pass via one of the implemented network connections 
to the predefined TSO/ONTOP environment on the customer system. 

This means: 

Bring the expert to the problem and not the problem to the expert! 
Request for an ONTOP


IBM responsibilities 

1. Add customers to NVAS/ONTOP 

2. Add customers on the IBM Router 

3. Provide the technical description of the connection (part of the request sheet) 

4. Support for installation, tailoring and test of TSO/ONTOP on customer systems 

5. Decision of ONTOP usage 

Customer responsibilities 

1. Provide the necessary hardware for the network connection 

2. Establish all IP addresses and routes needed for the connection

3. Provide at least one TSO/ONTOP Userid for IBM on the ONTOP system 

4. Adapt system changes affecting TSO/ONTOP to this environment 

5. Make sure access to TSO/ONTOP is available whenever requested by IBM

Charges

The ONTOP Service is part of IBM software service contracts, so no additional fee has to be 
paid. 

As IBM initiates the dial process, IBM also pays for the connection traffic. 
Copyright

TSO/ONTOP which is installed on customer systems is “IBM Copyright”. 

Without IBM approval the customer is not allowed to copy it or make it available to third 
parties. 

Customers should never change the TSO/ONTOP code without informing IBM. 

Data Security 

Data security demands data classification. 

Every owner of data must therefore classify their data and only allow access to the data
based on this classification.

Customer data being under control of IBM is always treated as IBM confidential. 

Each IBM employee accepts, based on his working contract (which reflects IBM policies
and security guidelines), to do so.

Furthermore, IBM will accept all legal data security guidelines issued by countries where IBM
customers are located.

To make sure those security guidelines are followed, IBM has implemented all the necessary 
technical and organizational standards. 

We are certain that the use of ONTOP will not provoke any security conflict but help to
further improve your system availability.

As confirmation of the use of ONTOP, we would like you and the responsible IBM branch
office to sign this request and send it back to the FAX number given under IBM contact.


Signature IBM (CE-BO) 


Signature of the customer 


Location/Date 


Location/Date 


Customer Prerequisites 

To connect to IBM via IP, a customer must meet the following prerequisites:

1. There must be a valid OS/390 IBM software service contract 

2. The ONTOP host must be connected to an ISDN router with access to the public network 

3. OS/390-CS must be installed and a TELNET server must be active 

4. Customer must not use one of the IBM reserved “private networks” 

• 172.16.0.0 SM: 255.255.0.0 

• 172.17.0.0 SM: 255.255.0.0 

• 192.168.0.0 SM: 255.255.255.0 

• 192.168.1.0 SM: 255.255.255.0 

5. A static route must be assigned to one of the IBM reserved “private networks”

6. IP addresses on the link level (router/router) can be chosen by the customer 

7. Customer router must have CHAP capability 
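
One way to check a planned address layout against prerequisites 4 to 6 before filling in the connection data (an added example, not part of the original document or IBM's tooling). The function name `check_plan` and all sample addresses are constructed; the 255.255.255.252 link mask and the four source addresses come from the connection data sheet later in this document.

```python
import ipaddress

# IBM-reserved "private networks" from prerequisite 4 (network / subnet mask).
IBM_RESERVED = [
    ipaddress.ip_network("172.16.0.0/255.255.0.0"),
    ipaddress.ip_network("172.17.0.0/255.255.0.0"),
    ipaddress.ip_network("192.168.0.0/255.255.255.0"),
    ipaddress.ip_network("192.168.1.0/255.255.255.0"),
]
# Source addresses IBM offers for the static route (connection data sheet).
IBM_SOURCES = [ipaddress.ip_address(a) for a in
               ("172.16.0.2", "172.17.0.2", "192.168.0.2", "192.168.1.2")]


def check_plan(customer_nets, link_customer, link_ibm, ibm_source):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    # The PPP link uses subnet mask 255.255.255.252, i.e. exactly two hosts.
    link = ipaddress.ip_interface(f"{link_customer}/255.255.255.252").network
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    # Assumption: the customer-chosen link subnet is checked like any other
    # customer network, so it cannot shadow the route towards IBM either.
    for net in nets + [link]:
        for reserved in IBM_RESERVED:
            if net.overlaps(reserved):
                problems.append(f"{net} overlaps IBM-reserved {reserved}")
    mine = ipaddress.ip_address(link_customer)
    peer = ipaddress.ip_address(link_ibm)
    hosts = list(link.hosts())
    if mine not in hosts or peer not in hosts or mine == peer:
        problems.append(f"{mine} and {peer} are not the two hosts of {link}")
    if ipaddress.ip_address(ibm_source) not in IBM_SOURCES:
        problems.append(f"{ibm_source} is not an IBM-offered source address")
    return problems


if __name__ == "__main__":
    # Constructed sample plans: the first passes, the second fails three checks.
    print(check_plan(["10.1.0.0/16"], "10.20.30.1", "10.20.30.2", "172.16.0.2"))
    for p in check_plan(["192.168.1.0/24"], "10.20.30.1", "10.20.30.5",
                        "172.18.0.2"):
        print("PROBLEM:", p)
```
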
Technical Description

ONTOP IP is based on an online connection between IBM (IT Center Mainz) and customers. 
It consists of NVAS/ONTOP on the IBM side, a point to point network connection and the 
failure analysis component (TSO/ONTOP) on the customer side. 

Components of ONTOP 

• Netview Access application (NVAS/ONTOP) on the IBM side 

• ISDN/PPP/IP network connection 

• REXX/ISPF Application (TSO/ONTOP) on the customer side 

Netview Access Application (NVAS/ONTOP)

NVAS/ONTOP on the IBM side is a certified security gateway which guarantees controlled 
and documented access of non traversing sessions between IBM and customer systems. 

Network connection 

The network connection is implemented as switched ISDN/PPP/IP. It is a point to point 
connection between a router of the IBM IT-Center in Mainz and the dialed customer router. 
The connection is established when an IBM specialist selects a customer in NVAS/ONTOP. 
Then NVAS/ONTOP activates TELNET and the IBM router which is using DoD (Dial on 
Demand) connects to the customer system. After 30 minutes of idle time, or on request of the 
specialist the connection is closed again. 

REXX/ISPF Application (TSO/ONTOP) 

The REXX/ISPF application TSO/ONTOP provides a “Common User Access” for IBM 
failure analysis tools in a predefined environment on the customer system. 
Access Security

To respond to customer requests for higher security standards on IP connections, three levels
of security are used.

1. NVAS/ONTOP on the IBM side makes sure that only people having userid/password for
this system can get access to customer systems. All activities on the gateway will be 
logged and kept for 60 days. Access without using NVAS/ONTOP is not possible. 

2. CHAP (Challenge Handshake Authentication Protocol) is used on the router link level.
It uses a “3-Way Handshake” method to protect the connection from unauthorized use.

3. TSO/ONTOP on the customer system can only be used by providing a valid userid and a
valid password.

IBM will accept any additional protection method on the customer side, as long as it doesn’t
hinder IBM when using ONTOP.
ONTOP userid and password administration

Implementation 

To implement the ONTOP userid/password administration as simply and securely as possible,
the following RACF concept is recommended.

• Create the ONTOP userids by using the following attributes: 

- DEFAULT-GROUP = Onnnnnnn - (nnnnnnn = 7 digit customer number) 

- PASS-INTERVAL = 3 

• Create a group called ONTOP 

• Connect all ONTOP users to group ONTOP 

• Grant “SPECIAL” to the ONTOP maintenance user - (default ONTOPOO) 

(This user must have at least update access to data set *.*.TOPCNTL)

Along with the userid administration routines delivered by ONTOP, this setup provides a
“push button solution” for the person doing the userid/password administration.

Usage 

For customers it is optional to maintain userid/password administration themselves, or leave 
it to the ONTOP team. If not left to the ONTOP team, customers should only provide an 
ONTOP userid if the requester is able to name the problem number they want to work on. In
case of uncertainty customers should ask for the IBM employee number and cross check with 
the ONTOP help desk, phone 0049-6131-84-5003. 

Remark: The initial password is always Onnnnnnn and therefore not distributed. 

The user must enter a new password during logon. 


Advantages: 

• No password distribution 

• Only people knowing the problem number will receive a userid 

• Only people knowing the customer number will be able to use the userid 

• Personalized passwords, as a 1:1 relation of user to password is guaranteed

This concept demands a minimum of 3 ONTOP userids. Depending on problem occurrence 
the number of userids should be increased. 

If there is a problem in using a dedicated ONTOP admin userid, it is also possible to use any
other userid, as long as the following prerequisites are met:

• Userid has the authority to reset the passwords for the ONTOP users. 

• Userid has at least update access to all the ONTOP data sets 

Additional customer requests can be reflected, as long as they follow the ONTOP concept. 
Golden rules for an efficient use of TSO/ONTOP

The efficiency of TSO/ONTOP is directly bound to its usability.

Only a TSO/ONTOP that is optimally maintained and perfectly adapted to the customer environment
can provide the best efficiency possible in an unforeseen problem situation.

Therefore the following rules should be followed when using TSO/ONTOP: 

1. The ONTOP logon procedure and the control tables should always be kept up to date:

- TOPLOG " ONTOP logon profile 

- TOPENVTO ONTOP environment control tables 

- TOPENVnn ONTOP allocation control tables 

2. The IPCS parmlib members must match the level of OS/390 

- BLSCECT IPCS verbs for dump formatting 

- BLSCECTX IPCS verbs for dump formatting 

- BLSCUSER IPCS non-standard verbs for dump formatting

- IPCSPRxx IPCS session parameter 

3. ONTOP data sets should not be candidates for migration 

4. ONTOP userids should be given a TSO region size of 256MB 

5. ONTOP userids should be placed in an optimized Service class (short batch)

6. ONTOP usage, environment and procedure should be known to potential users 


ONLY AN OPTIMALLY MAINTAINED ONTOP IS OF VALUE.
AN UNMAINTAINED ONTOP IS USELESS!
Connection Data (please fill in)


ISDN Telephone Number: 

(Backup Telephone Number) 




Hardware Router 

(IBM/Cisco/etc.)




Security Data for CHAP 


Attention, CHAP implementation is 
provider specific. 

Other names could be used? 

(PW by phone) 

CHAP-User: 

CHAP-Password: 

PPP-User: 

PPP-Password: 



IP Configuration Dial Circuit 


IP address ISDN Dial Circuit (PPP-Link) 

IP address ISDN Dial Circuit (PPP-Link) 
Subnet Mask 

IP-Customer:

IP-IBM: 

SM: 255.255.255.252 



IP Configuration Host 


Host TSO Data 


IP Address 

IP: 

User / Password 
(PW by phone) 

User: 

Password: 



IP Configuration Host (second Host) 


Host TSO Data 


IP Address 

IP: 

TSO User / Password 
(PW by phone) 

User: 

Password: 



Source addresses given by IBM for static 
routes. 

Please select one. 

□ 172.16.0.2 (255.255.255.255) 

□ 172.17.0.2 (255.255.255.255) 

□ 192.168.0.2 (255.255.255.255) 

□ 192.168.1.2 (255.255.255.255) 
Contacts (please fill in the customer part)

General Customer Data 


Customer Name 


Customer Number 


Software Service Contract Number 



Customer Contact 


Name of the ONTOP contact person 


Telephone Number 


FAX 


E-Mail Address 




Name of the router expert 


Telephone Number 


FAX 


E-Mail Address 



Customer / IBM Contact 


IBM Employee Name 


Telephone Number 


FAX 


E-Mail Address 



IBM ONTOP Contact 


Name 

Mr. ONTOP 

Telephone Number 

0049-6131-84-5003 

FAX 

0049-6131-84-6611 

E-Mail Address 

ontop@de.ibm.com 

Name 

Alexander Damm 

Telephone Number 

0049-6131-84-5646 

FAX 

0049-6131-84-6611 

E-Mail Address 

adamm@de.ibm.com 

Name 

Heinz-Dieter Hassinger 

Telephone Number 

0049-6131-84-5477 

FAX 

0049-6131-84-6611 

E-Mail Address 

hhd@de.ibm.com 